SCOM AD Replication Monitoring Failed (fSMORoleOwner attribute)

This is a repost of an excellent blog by René van Maasakkers (https://www.more2know.nl/2011/04/22/opsmgrscom-2007-r2-ad-replication-monitoring-failed-fsmoroleowner-attribute/). Some companies block non-Microsoft blogs :(  

Problem

  1. A warning from the Active Directory Management Pack. Active Directory itself is running fine, but OpsMgr reports something that looks like corruption.
  2. Warnings from all Domain Controllers: “Script Based Test Failed to Complete”.
  3. Event ID 1000 in the “Operations Manager” event log on the DC.

Sample Warning:
AD Replication Monitoring : encountered a runtime error. Failed to obtain the InfrastructureMaster using a well known GUID.
The error returned was: ‘Failed to get the ‘fSMORoleOwner’ attribute from the object ‘LDAP://nlnbdcsrv01.more2know.local/<WKGUID=2fbac1870ade11d297c400c04fd8d5cd, DC=ForestDnsZones,DC=more2know,DC=local>’.
The error returned was: ‘There is no such object on the server.’ (0x80072030)’ (0x80072030)

Read past the wrapper text: the real error is “There is no such object on the server” (0x80072030, the HRESULT form of Win32 error 8240, ERROR_DS_NO_SUCH_OBJECT).

The cause is that the AD attribute fSMORoleOwner on the Infrastructure object of the DNS application partitions points at an old DC. The value was “CN=NTDS Settings\0ADEL:b6bc57e7-dbbf-41e5-82d2-7bc4b166af3f,CN=<OLDServername>\0ADEL:ae94f589-9bd8-4ec3-af7f-54afaf662beb,CN=Servers,CN=<SiteName>,CN=Sites,CN=Configuration,DC=domain,DC=local”. The “\0ADEL:<GUID>” mangling marks a deleted object: the DC referenced here was demoted a long time ago, and the per-partition role owner was never updated. The attribute lives on the CN=Infrastructure object in each of the partitions ForestDnsZones and DomainDnsZones, so both must be changed to the DN of the NTDS Settings object of the current Infrastructure Master. Microsoft documents the same stale value as the reason adprep /rodcprep fails, see https://support.microsoft.com/kb/949257

 

Solution

Step 1. Find the correct DN of the Infrastructure Master’s NTDS Settings object

  1. Run Adsiedit.msc
  2. Connect to the server that holds the Infrastructure Master role
  3. Connect to CN=Configuration,DC=<domain>,DC=<suffix>.
  4. Expand CN=Sites -> CN=”Site of the IM” -> CN=Servers -> CN=”Infrastructure Master”
  5. Open the Properties of CN=NTDS Settings
  6. Find distinguishedName and copy the value


Step 2. Change the ForestDnsZones fSMORoleOwner

  1. Run Adsiedit.msc
  2. Connect to the server that holds the Infrastructure Master role
  3. Connect to DC=ForestDnsZones,DC=<domain>,DC=<suffix>.
  4. Open the properties of the CN=Infrastructure object.
  5. Check the fSMORoleOwner attribute.
  6. Specify an infrastructure role owner that is online for the partition by manually replacing the fSMORoleOwner value with the DN copied in Step 1.

The value is formatted like: CN=NTDS Settings,CN=<hostname>,CN=Servers,CN=<sitename>,CN=Sites,CN=Configuration,DC=domain,DC=local

[Screenshot: connect to the Infrastructure Master (IM) and select ForestDnsZones]

[Screenshot: update/correct the fSMORoleOwner as needed]

Step 3. Change the DomainDnsZones fSMORoleOwner

  1. Run Adsiedit.msc
  2. Connect to the server that holds the Infrastructure Master role
  3. Connect to DC=DomainDnsZones,DC=<domain>,DC=<suffix>.
  4. Open the properties of the CN=Infrastructure object.
  5. Check the fSMORoleOwner attribute.
  6. Specify an infrastructure role owner that is online for the partition by manually replacing the fSMORoleOwner value with the DN copied in Step 1.
  7. The value is formatted like: CN=NTDS Settings,CN=<hostname>,CN=Servers,CN=<sitename>,CN=Sites,CN=Configuration,DC=domain,DC=local

!! Note. You must be connected to the DC that you are writing into fSMORoleOwner, i.e. the DC that currently holds the Infrastructure FSMO role. The directory only accepts the DN of the NTDS Settings object of the DC the write is sent to, so if you connect to any other DC the modify is rejected with an error like “000020AE: svcErr:DSID-031524F1, problem 5003 (WILL_NOT_PERFORM), data 0”. That DC must also host the partition you are editing; a DC that is not a DNS server for the zone does not hold a replica of ForestDnsZones/DomainDnsZones.
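The same three steps can be audited and applied from PowerShell instead of ADSI Edit. The script below is an added example written for this page, not part of the original post: it looks up the domain Infrastructure Master, derives the DN of its NTDS Settings object (Step 1), reads fSMORoleOwner on CN=Infrastructure in both DNS application partitions (Steps 2 and 3), flags a value that contains the “\0ADEL:” deleted-object marker or differs from the expected DN, and rewrites it while connected to the Infrastructure Master itself. It assumes the ActiveDirectory module is available, that the partitions use the default names ForestDnsZones/DomainDnsZones, and that the caller has write access to them; the variable names are the example’s own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): check and repair fSMORoleOwner on the
# CN=Infrastructure object of the ForestDnsZones and DomainDnsZones partitions.
# Assumptions: ActiveDirectory module present, default partition names, and an account
# that can write to those partitions. Run with -WhatIf first to see what would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

Import-Module ActiveDirectory

# Step 1: the domain Infrastructure Master and the DN of its NTDS Settings object.
# This is the only value the write below may carry:
# CN=NTDS Settings,CN=<hostname>,CN=Servers,CN=<sitename>,CN=Sites,CN=Configuration,...
$domain = Get-ADDomain
$forest = Get-ADForest
$imHost = $domain.InfrastructureMaster
$imDc   = Get-ADDomainController -Identity $imHost
$goodDn = $imDc.NTDSSettingsObjectDN

# ForestDnsZones hangs off the forest root domain DN, DomainDnsZones off this domain's DN.
$rootDn = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName
$partitions = @(
    "DC=ForestDnsZones,$rootDn",
    "DC=DomainDnsZones,$($domain.DistinguishedName)"
)

foreach ($partition in $partitions) {
    $infra = "CN=Infrastructure,$partition"

    # Steps 2/3: read the current owner from the IM itself. AD only accepts an
    # fSMORoleOwner value equal to the NTDS Settings DN of the DC the request is sent
    # to (otherwise 000020AE ERROR_DS_INVALID_ROLE_OWNER / WILL_NOT_PERFORM), so the
    # read and the write both go to $imHost.
    $obj     = Get-ADObject -Identity $infra -Properties fSMORoleOwner -Server $imHost
    $current = [string]$obj.fSMORoleOwner

    # "\0ADEL:<guid>" in the DN means it points at a deleted object: the demoted DC.
    $stale = ($current -match '\\0ADEL:') -or ($current -ne $goodDn)
    Write-Host ("{0}`n  current: {1}`n  wanted : {2}`n  stale  : {3}" -f $infra, $current, $goodDn, $stale)

    if (-not $stale) { continue }

    # The target DC must hold a replica of the partition, or the write fails the way
    # KB949257 describes for adprep /rodcprep.
    if ($imDc.Partitions -notcontains $partition) {
        Write-Warning "$imHost does not host $partition; choose a DC that does (Get-ADDomainController -Filter * | Select-Object HostName,Partitions)"
        continue
    }

    if ($PSCmdlet.ShouldProcess($infra, "Set fSMORoleOwner to $goodDn via $imHost")) {
        Set-ADObject -Identity $infra -Replace @{ fSMORoleOwner = $goodDn } -Server $imHost
        # Re-read to confirm the new value landed.
        (Get-ADObject -Identity $infra -Properties fSMORoleOwner -Server $imHost).fSMORoleOwner
    }
}
```

Run it from an elevated PowerShell session as a Domain Admin (Enterprise Admin for ForestDnsZones in a child domain); the `-Server $imHost` on every call is what keeps the write on the correct DC, which is the same constraint the note above describes for ADSI Edit.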

Comments

  • Anonymous
    November 25, 2017
    Correction. 000020AE = ERROR_DS_INVALID_ROLE_OWNER. AD will only allow you to set an fSMORoleOwner to the DC you are doing it from, as mentioned in the constraints in ADTS (https://msdn.microsoft.com/en-us/library/cc223462.aspx): "If the fSMORoleOwner attribute is modified, then the only allowed attribute value is the DN of the DSA object of the current DC; for all other values, unwillingToPerform / ERROR_DS_INVALID_ROLE_OWNER is returned. In other words, the FSMO role can only be "taken" or transferred to the current DC. It cannot be given away."